[英]Keycloak custom PasswordHashProvider, salt change on each connection
我正在嘗試創建一個自定義 PasswordHashProvider。 組件創建成功,算法正常,數據庫中保存的密碼正確。
Salt存儲在數據庫中,但我不明白如何。 我以為是鹼基 64 鹽,但它不匹配。
database secret_data : {"value":"v8Po+hMGZbS2tWr4IGRXqy3FJyQIavjsrpXHwomWHwRRs+iRVInd+9naF681EENm76lF1omK+BqsPIRrtKH1VQ==","salt":"DEiO17h4/+6gwzxn"}
database credential_data : {"hashIterations":5000,"algorithm":"message-digest"}
創建密碼和連接用戶時,我會在控制台中添加日志。 生成、存儲鹽,但在連接期間檢索到的鹽在每次嘗試時都不同。
當我注冊用戶密碼時:
New salt : [B@7bb894a0
當我嘗試連接用戶時:
Existing salt: [B@d433036
// retry connection
Existing salt: [B@355bae9a
有誰知道鹽是怎么儲存的?
我的 class (對於測試我強制迭代到 5000):
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.credential.PasswordCredentialModel;
import java.util.Base64;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.nio.charset.StandardCharsets;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
public class MessageDigestPasswordHashProvider implements PasswordHashProvider {
private final int defaultIterations;
private final String providerId;
private byte[] salt;
public MessageDigestPasswordHashProvider(String providerId, int defaultIterations) {
this.providerId = providerId;
this.defaultIterations = defaultIterations;
}
@Override
public boolean policyCheck(PasswordPolicy policy, PasswordCredentialModel credential) {
int policyHashIterations = 5000;
return credential.getPasswordCredentialData().getHashIterations() == policyHashIterations
&& providerId.equals(credential.getPasswordCredentialData().getAlgorithm());
}
@Override
public PasswordCredentialModel encodedCredential(String rawPassword, int iterations) {
iterations = 5000;
byte[] salt = generateSalt();
this.salt = salt;
System.out.print("New salt : ");
System.out.println(salt);
String encodedPassword = encode(rawPassword, iterations);
return PasswordCredentialModel.createFromValues(providerId, salt, iterations, encodedPassword);
}
@Override
public String encode(String rawPassword, int iterations) {
iterations = 5000;
byte[] salt = this.salt;
System.out.print("Salt fonction encode :");
System.out.println(salt);
String salted = rawPassword + "{" + salt.toString() + "}";
byte[] digest = getSha512(salted.getBytes());
System.out.println(iterations);
for (int i = 1; i < iterations; i++) {
digest = getSha512(concat(digest, salted.getBytes()));
}
return Base64.getEncoder().encodeToString(digest);
}
@Override
public boolean verify(String rawPassword, PasswordCredentialModel credential) {
this.salt = credential.getSalt();
System.out.print("Existing salt: ");
System.out.println(this.salt);
String encodedPassword = encode(rawPassword, credential.getHashIterations());
return encodedPassword.equals(credential.getValue());
}
private static byte[] generateSalt() {
SecureRandom random = new SecureRandom();
byte salt[] = new byte[12];
random.nextBytes(salt);
return salt;
}
@Override
public void close() {
}
public static byte[] getSha512(byte[] value) {
try {
MessageDigest md = MessageDigest.getInstance("SHA-512");
byte[] messageDigest = md.digest(value);
return messageDigest;
}
catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
public static byte[] concat(byte[] a, byte[] b) {
byte[] c = new byte[a.length + b.length];
System.arraycopy(a, 0, c, 0, a.length);
System.arraycopy(b, 0, c, a.length, b.length);
return c;
}
}
Salt存儲在數據庫中,但我不明白如何。 我以為是鹼基 64 鹽,但它不匹配。
它基於 64。
生成、存儲鹽,但在連接期間檢索到的鹽在每次嘗試時都不同。
問題是這樣的:
System.out.print("New salt : ");
System.out.println(salt);
您沒有打印鹽的實際含量,而是打印 object “鹽”。
請嘗試:
System.out.println(Arrays.toString(this.salt));
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.